PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data. An updated version of the standard is available as PCI DSS v4.0.
To comply with this standard, specifically with the requirement on page 141, we are implementing a tool to manage and control which scripts run on, or have access to, our platform.
| Level Of Impact | Affected Interfaces | Affected Users |
|---|---|---|
| N/A | Admin | Administrators |
Solution
We built an admin interface under Operations -> Platform Config -> Site -> Content Security Policy (CSP) settings.
This interface allows you to configure and manage each script running on your platform:
- Report blocked scripts in bugsnag – Controls whether CSP violations are sent to WebUI bugsnag at Jumbo.
- Set policy to ‘report-only’ – Controls whether CSP violations are blocked or if they report only.
- Sources for whitelisted scripts (‘script-src’) – List of user-defined sources that are concatenated together to make up the script-src directive of the content-security-policy header.
Further documentation on how to use CSP features and implement them can be found here.
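As an added illustration (not code from the platform described here), the following Python sketch shows how the three settings above could be turned into the response header: the report-only toggle selects the header name, the whitelisted sources are joined into the script-src directive, and the bugsnag toggle adds a report-uri directive. It also summarizes the JSON body a browser POSTs to that report endpoint, since that is what ends up in the error tracker. The CspSettings class, the collector URL and the sample violation report are assumptions constructed for this example. One caveat worth building in: each source must be a single token, because a ';' or whitespace inside an entry would let whoever can edit the setting append a second directive to the header.

```python
import json
from dataclasses import dataclass, field

# Hypothetical settings object mirroring the three controls in the admin UI
# (constructed for this example; not the platform's own code).
@dataclass
class CspSettings:
    report_only: bool = False            # "Set policy to 'report-only'"
    report_blocked: bool = False         # "Report blocked scripts in bugsnag"
    script_sources: list = field(default_factory=list)  # "Sources for whitelisted scripts"

# Placeholder collector URL: the real reporting endpoint is not documented on the page.
REPORT_ENDPOINT = "https://csp-collector.example.invalid/report"

# Characters that must never appear inside a single source expression.
_FORBIDDEN = set("; \t\r\n,")

def is_valid_source(src: str) -> bool:
    """A source must be one token: a ';' or whitespace inside an entry would let
    whoever edits the setting smuggle a second directive into the header."""
    s = src.strip()
    return bool(s) and not any(ch in _FORBIDDEN for ch in s)

def build_csp_header(settings: CspSettings) -> tuple:
    """Return (header_name, header_value) for the given admin settings."""
    sources = ["'self'"]
    for src in settings.script_sources:
        if not is_valid_source(src):
            raise ValueError(f"invalid script-src source: {src!r}")
        token = src.strip()
        if token not in sources:          # drop duplicates, keep the admin's order
            sources.append(token)
    directives = ["script-src " + " ".join(sources)]
    if settings.report_blocked:
        directives.append("report-uri " + REPORT_ENDPOINT)
    # Report-only mode changes the header name, not the directive text.
    name = ("Content-Security-Policy-Report-Only" if settings.report_only
            else "Content-Security-Policy")
    return name, "; ".join(directives)

def summarize_report(body: str) -> dict:
    """Extract the fields worth forwarding to an error tracker from the JSON
    body a browser POSTs to the report-uri (the 'csp-report' wrapper)."""
    report = json.loads(body)["csp-report"]
    return {
        "page": report.get("document-uri"),
        "blocked": report.get("blocked-uri"),
        "directive": report.get("effective-directive") or report.get("violated-directive"),
        "enforced": report.get("disposition") == "enforce",
    }

# Constructed sample of a violation report, shaped like the browser's csp-report POST.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://shop.example/checkout",
        "blocked-uri": "https://unapproved.example/tracker.js",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "disposition": "report",
    }
})

if __name__ == "__main__":
    settings = CspSettings(report_only=True, report_blocked=True,
                           script_sources=["https://js.example.com", "https://cdn.example.com"])
    print(*build_csp_header(settings), sep=": ")
    print(summarize_report(SAMPLE_REPORT))
```

With report-only enabled the browser still loads the unlisted script and only sends the report, so that mode is for discovering which scripts a checkout page actually pulls in before switching to enforcement; the summarized report (page, blocked URI, directive, enforced flag) is the minimum an on-call engineer needs to tell a mis-whitelisted first-party asset from an unexpected third-party script.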
Benefits
Provides the capability to meet PCI DSS v4 requirements and to complete a self-certification.
Helps meet compliance requirements that may be imposed by payment gateways or by payment card authorities.
Ensures extra protection of all customer data through additional security feature implementations.
Need To Know
- PCI security standard guidelines can be found here.
- PCI DSS v4 document.